Database Administrators Stack Exchange is a question and answer site for database professionals who wish to improve their database skills and learn from others in the community. It's 100% free, no registration required.

I'm testing an oracle based application and I've found the following code:

Query = "SELECT name FROM employees WHERE id='"+PKID+"';"

i.e. the query string contains quotes around the PKID value which is obtained straight from the URL.

Obviously, this is a classic SQL injection waiting to happen...except the application is behind CA SiteMinder which blocks any URL with a single quote (in any form) from being passed to the application.

Is there any way to break out of the string and inject SQL without using a single quote?

Edit: Sorry, I should have been clearer - I understand how it should be written, but I need to persuade people that it's an exploitable issue. At the moment because it's behind siteminder which blocks single quotes so it's going to be a low priority fix.

3 Answers
3

Yes, it is possible to perform an SQL injection attack without supplying quotes in the parameter.

The way to do this is with an exploit to do with how numbers and/or dates are processed. You can specify at the session level what the format of a date or number is. By manipulating this you can then inject with any character.

By default in the UK and US, a comma is used to indicate the thousands separator in numbers, and a full stop for the decimal point. You can change these defaults by executing:

alter session set nls_numeric_characters = 'PZ';

This means that "P" is now the decimal point and "Z" is the thousands separator. So:

0P01

Is the number 0.01. However, if you create a function P01, the object reference will be picked up before number conversion. This allows you to execute functions on the database giving you increasing powers, as follows:

No quotes anywhere, but we've still managed to execute the "hidden" function P01 and create the table t!

While this may be difficult to do in practice (and may require some internal knowledge/help), this does show that you can inject SQL without having to have quotes. Altering the nls_date_format can allow similar things to be done.

The original findings for numbers were by David Litchfield and you can read his paper here. You can find Tom Kyte's discussion of how dates can be exploited here.

He is not asking about ways to prevent the inject but about ways to abuse it.
–
JeffFeb 11 '13 at 20:59

1

@jeff The OP also asks for reasons to not use this kind of code. Not using bind variables destroys performance so this is a good reason to always use them.
–
Vincent MalgratFeb 12 '13 at 9:35

@Vincent Malgrat: "Not using bind variables destroys performance" is wrong.It is true that recompilation of a statement can be avoided by using bind variables. Also the shared pool will be flood by a lot of similiar statements if you don't use bind variables. Nevertheless the optimizer has less information for building a plan if one uses bind variables instead of literal values. There are situations where there should be selected different plans depending on the values of the bind variables (or the literal values).
–
miracle173Feb 13 '13 at 8:46

@miracle173 Of course there will be exceptions, but not for a primary key lookup as given by the OP, never =)
–
Vincent MalgratFeb 13 '13 at 8:56